On September 14, 2021, the SEC brought an unusual enforcement action against App Annie, a so-called “alt data” provider, and its co-founder. A link to the SEC’s release is here. As set forth in the settled SEC order, App Annie provides an analytics product to app companies that allows those companies to track the performance of their apps. The app companies give App Annie access to their confidential app performance metrics to enable App Annie to perform the analytics. App Annie also generates an “alt data” research product, estimates of app performance, that is created by aggregating and anonymizing the confidential app data it obtains from the app companies. App Annie sold subscriptions to the estimates of app performance to over 100 investment firms. App Annie had represented to those customers that the estimates were generated through a statistical model that used aggregated and anonymized data, that App Annie had policies and procedures in place to prevent the misuse of the confidential app company data, and that the app companies had consented to App Annie’s use of their data in this way.

However, the SEC alleged that in reality App Annie was breaching those representations because it was using the actual confidential app company information to manually enhance the output of the statistical model to make that output closer to the actual confidential app performance metrics. The SEC alleged that App Annie did so to make its “estimates” more valuable to trading firms so that the firms would continue to pay App Annie for the estimates.

Notably, the SEC did not allege that the manually enhanced data was itself material. Rather, the SEC alleged that App Annie’s representations that it used a statistical model to generate the estimates based on aggregated and anonymized data, and that it had internal controls to prevent the misuse of confidential information, were material to the trading firms’ decisions to purchase App Annie’s estimates. Thus, the fraud here was not passing along MNPI, but the misrepresentations made to the trading firms about the compliance aspects of the estimates (that said, a $10 million penalty was imposed, large for a case like this, suggesting that there was more going on here than is reflected in the settled order).

Section 10(b) and Rule 10b-5, the provisions allegedly violated, require that a misrepresentation be made “in connection with” the purchase or sale of securities. That is why, when we think of a material misrepresentation under the federal securities laws, we usually think of a representation directly bearing upon an investment decision. App Annie’s compliance representations are a bit removed from the firms’ trading decisions. Nevertheless, courts have interpreted the “in connection” requirement elastically enough that the SEC is probably within bounds, albeit barely, on this one. Is this in any event an example of rulemaking through enforcement? I don’t think so. The hallmark of, and the problem with, rulemaking through enforcement is that it is unfair to blindside market participants by bringing an enforcement action on a subject that had previously not been seen as illegal. Here, App Annie knew that its manual adjustments of the estimates were wrong and that its representations to the trading firms were false – so no one was blindsided.

For research firms, the message of this case – to play by the rules – is clear. First, it is a good idea to have internal training and policies designed to prevent the acquisition of MNPI or confidential information. There should also be policies in place to address the steps to take if the firm comes into possession of MNPI. Certainly, if the firm obtains confidential information and attempts to repackage it in a benign way (as App Annie was supposedly doing), the process needs to be carefully thought through with counsel. Finally, if you are telling customers that you are taking certain compliance steps, make certain that you are actually doing what you say.

For investment firms, the case is a good reminder of the importance of policies concerning the use of third-party research providers. It is important to have written agreements with providers that contain representations from the provider that they understand the securities laws’ insider trading prohibitions, that they do not obtain MNPI or confidential information, that they will not pass along any such information if they do come into possession of it, and that they have internal policies covering these issues. It is also a good idea to gain an understanding of how the data providers gather information and why they believe they are not obtaining MNPI or confidential information, and to see samples of the research output. Investment firms are not held to a standard of assuring that third-party data providers are following the rules, but depending on the circumstances (i.e., the more “alt” the data) it is a better idea to have diligence steps like those noted above to rely upon in addition to contractual representations. And as with many compliance topics, if common sense or anything else tells you the information you are receiving is too good to be compliant – bring it to the attention of compliance or counsel right away. As an aside, if a research provider is actually receiving MNPI as part of its business, as App Annie appears to have been doing, investment firms may want to be circumspect about using such a provider as a source of research. Or if so, then even deeper diligence is a good idea.